Cryptojacking: An Overview

Cryptojacking is the practice of hijacking someone else’s browser to mine cryptocurrencies with their computer’s processing power. Several pieces of software do this, including Coinhive, Authedmine and Crypto-Loot. While such tools are not necessarily illegal, their stealth and the lack of user consent have led many to view cryptojacking software as malware; the security firm Malwarebytes, for example, has blocked coinhive[.]com.

This week it was announced that a number of government websites, including the NHS, had been serving cryptojacking malware, meaning that visitors had been unknowingly mining cryptocurrency.

Coinhive

Monero mining is big business; browsers, extensions and mobile apps have all reportedly spread Coinhive in the past few months. Coinhive is a JavaScript miner for Monero, a cryptocurrency that has been steadily growing in popularity since 2014. In January 2018, a proof of concept called CoffeeMiner was released, which shows how an actor on a public Wi-Fi network can mine cryptocurrency with the browsers of other users of that network.

More recently, a malvertising campaign abused Google’s DoubleClick advertising tool to compromise adverts and distribute Coinhive. The sharp increase in Coinhive miner activity correlated with an increase in traffic to five malicious domains, which was subsequently linked back to DoubleClick advertisements.

Crypto Jacker: A New WordPress Plugin

A new product called Crypto Jacker looks to combine Coinhive, Authedmine and Crypto-Loot into a WordPress plugin with added Search Engine Optimization (SEO) functionality. The domain cryptojacker[.]co was registered on November 30th, 2017 and sells the Crypto Jacker software for a one-time payment of $29. Once purchased, users can install Crypto Jacker on an unlimited number of their own domains.

Figure 1: The Crypto Jacker software

Crypto Jacker “provides a way to earn crypto currency from people who visit your links, even when you’re sharing other websites that you don’t own. We even cloak your website links for your (sic) so they look like the original shares on social media.” This is done by using an iframe to clone content from popular websites, as shown in Figure 2.

Figure 2: The user interface of the Crypto Jacker plug-in

Crypto Jacker does two things to increase traffic to the cloned site.

Users can load the metadata from the destination URL, so that the cloned page features highly in search engine rankings.

“Social Cloaking” (as shown in Figure 3) makes the imitation link appear to come from the original destination, increasing the likelihood of clicks.

Figure 3: Crypto Jacker’s “social cloaking” demonstration video

It’s unsurprising that Crypto Jacker has these SEO features, given that other software published under the name Thomas Witek (the author of Crypto Jacker) includes “Click Jacker”, “Link Cloaker”, and “Gram Poster”. The shift in business model from advertising to cryptocurrency mining is explicitly referenced on the website: “advertising on the web is difficult to profit from…why shouldn’t you mine crypto coins.” This is part of a broader shift towards cryptocurrency fraud by a variety of actors, which we analyse in more detail in our recent research report, The New Gold Rush: Cryptocurrencies are the New Frontier of Fraud.

Scam or Legitimate?

Is this a scam? It’s possible that Crypto Jacker is a ruse to cash in on web developers’ interest in cryptocurrency mining. This review questions the nature of the site itself.

Our own tests of the demo website (paidallday[.]com/what-you-need-to-know-about-bitcoin), linked from the Crypto Jacker website, show that cryptocurrency mining is likely taking place. As shown in Figure 4, the website appeared to have the plugin “cj-plugin” installed, which launched the “cryptoloot.pro” script. When we visited the site, CPU usage increased significantly to 50% (as shown in Figure 5). While this does not confirm that the Crypto Jacker product is legitimate, it does add some credibility to its claim.
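The indicators we relied on in that test (a script loaded from a known miner host, a WordPress plugin path containing cj-plugin, and miner-initialisation code in an inline script) can be checked mechanically. The following is an added example written for this post, not code from the original article or from Crypto Jacker: it scans a saved HTML page for those indicators using only the Python standard library. The hostname list, the plugin path hint and the inline-script tokens are assumptions built from the services named above rather than an authoritative blocklist, and the sample page is constructed for the example.

```python
"""Scan an HTML document for references to in-browser miner scripts.

Added example for this post (not the original article's code). It flags
<script>/<iframe> sources that point at miner hosts, WordPress plugin paths
matching the "cj-plugin" we observed, and inline script text that
instantiates a Coinhive/Crypto-Loot style miner. Indicator lists below are
assumptions derived from the services the post names.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames for the miner services named in the post (assumed list).
MINER_HOSTS = {"coinhive.com", "authedmine.com", "crypto-loot.com", "cryptoloot.pro"}

# Path fragment suggesting the Crypto Jacker WordPress plugin is installed.
PLUGIN_PATH_HINTS = ("/wp-content/plugins/cj-plugin/",)

# Tokens used by Coinhive / Crypto-Loot style loaders in inline JavaScript (assumed).
INLINE_TOKENS = ("CoinHive.Anonymous", "CoinHive.User", "CRLT.Anonymous")


def _hostname(url):
    """Return the lowercase host of an absolute or protocol-relative URL ('' if relative)."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


class MinerScanner(HTMLParser):
    """Walks the HTML token stream and records (kind, indicator) findings."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag in ("script", "iframe") and attrs.get("src"):
            self._check_url(tag, attrs["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data as raw text.
        if self._in_script:
            for token in INLINE_TOKENS:
                if token in data:
                    self.findings.append(("inline-script", token))

    def _check_url(self, tag, url):
        host = _hostname(url)
        if host in MINER_HOSTS or any(host.endswith("." + h) for h in MINER_HOSTS):
            self.findings.append((tag + "-src", host))
        for hint in PLUGIN_PATH_HINTS:
            if hint in url:
                self.findings.append(("plugin-path", hint))


def scan_html(html):
    """Return a list of (kind, indicator) tuples found in the document."""
    scanner = MinerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def is_suspicious(html):
    """True when at least one miner indicator is present."""
    return bool(scan_html(html))


# Constructed sample page resembling what we saw on the demo site; the site key is a placeholder.
SAMPLE_PAGE = """<html><head>
<title>What you need to know about bitcoin</title>
<script src="//cryptoloot.pro/lib/crypto-loot.js"></script>
<script src="/wp-content/plugins/cj-plugin/js/cj.js"></script>
<script>
  var miner = new CRLT.Anonymous('SITE-KEY-PLACEHOLDER');
  miner.start();
</script>
</head><body>
<iframe src="https://example.com/original-article"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, indicator in scan_html(SAMPLE_PAGE):
        print(f"{kind:14s} {indicator}")
```

Running the script against the constructed page reports the cryptoloot.pro script source, the cj-plugin path and the CRLT.Anonymous loader, while the iframe pointing at an unrelated site is not flagged. The same `scan_html` function can be pointed at a page fetched with any HTTP client, which makes it a cheap first-pass check before confirming with the CPU-usage observation described above.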

Interest in cryptocurrencies shows no sign of slowing down and, while Crypto Jacker does not appear to have built a large user base, its emergence – if legitimate – is an attempt to lower the barrier to entry for those looking to use stealthy cryptocurrency mining software.

Protect yourself from crypto mining

1. Have a reputable ad blocker

Organizations that do not wish to be “crypto jacked” and inadvertently mine cryptocurrency should ensure they have a reputable ad blocker in place. Consider ad blockers such as AdBlock, AdBlock Plus, 1Blocker, and uBlock. The NoCoin browser extension was also developed specifically to block coin miners such as Coinhive.

2. Apply patches to known vulnerabilities

Organizations should apply patches and mitigations for known vulnerabilities, as these can be used to deliver crypto miners. In December 2017, for example, PyCryptoMiner began exploiting a vulnerability affecting JBoss servers that had first been disclosed in October. More recently, a Struts server exploit has been used for Monero mining. Sites such as US-CERT, the National Vulnerability Database and MITRE provide the latest information on newly disclosed vulnerabilities. Red Hat provided mitigation advice for the JBoss vulnerability exploited by PyCryptoMiner, and patches for the Struts vulnerabilities are also available.